nycticorax 19 hours ago

I don't agree with him 100%, but I always find Drew DeVault to be thoughtful on this topic:

https://news.ycombinator.com/item?id=32936114

https://drewdevault.com/2021/09/27/Let-distros-do-their-job....

Basically, he argues that application distribution outside of the distro (a la flatpak, snap, appimage) is just a bad model. The right model is the one distros have been using for years: You get software through the distro's package manager, and that software is packaged by people working on behalf of the distro. As he says: "Software distributions are often volunteer-run and represent the interests of the users; in a sense they are a kind of union of users."

The other issue, of course, is that in practice flatpaks/snaps/appimages never seem to 100% work as well as distro packages do.

jillesvangurp 15 hours ago

I disagree with that. IMHO the best possible people to create a package for an application are the original developers of that software. If that software is proprietary, that also happens to be the only party that can legally do that anyway, because it typically requires access to the source code, and software redistribution requires permission.

So, the model you mention only works for open source packages. And I would argue that even in the case an app is 100% open source it's a bad idea for somebody not affiliated with the core development team to be second guessing a lot of things about that application.

It results in a lot of issues that aren't necessary. Like needless lag between developers releasing new software and some third party doing whatever uninvited tweaks they think are necessary, or adding their own bugs and new issues.

It's why I always install Firefox in tarball form straight from Mozilla, for example. It updates itself as soon as developers OK some patch. This happens a lot and mostly for security and stability reasons. I want those patches when they release them. The things external distribution maintainers do are redundant. I trust Mozilla to do the right thing and be the most clued in about any issues regarding their own software. With proprietary stuff, I just want stuff to run with a minimum of hassle.

Flatpak is trying to do too many things. It's trying to emulate an appstore. I don't necessarily like app stores. They are gate keepers. What do developers on Windows and Apple do? They put binaries on their own website. You download them. You install them. And then they run. Downloaded apps have the same rights as apps provided via app stores. The app stores don't repackage the app, they merely distribute them. It's an add on service. An optional extra. All the essentials that provide security are baked into the OS and the application package. There are a few mechanisms that windows and mac provide to make things secure. Binaries are signed, the OS has a permission model for things that need that (screen sharing, directory access to certain things, using the webcam, etc). That's the right model. That could work for Linux as well. It shouldn't require taking control of distribution or packaging by some third party.

boudin 14 hours ago

Flatpak is more of a set of tools and a framework. I wouldn't consider it a store but a distribution system. Flathub is a repository, Fedora has its own repository and anybody can create their own repo (I wouldn't call it a store as there is no concept of monetisation).

I wouldn't consider flatpak as a gatekeeper as there is no "team" going through some arbitrary process to allow/disallow an app.

I also disagree with the fact that macOS and Windows did the right thing. What I found in my experience managing laptops in a company that is roughly 1/3 Windows, 1/3 Linux, 1/3 macOS is that:

- What Windows is teaching users is to download random stuff and bypass the warning screens if something is not signed. Unless there is a company policy and third-party software to update what is installed, by default the things installed are a mix of up-to-date and out-of-date software.
- macOS users do not install operating system and software updates unless third-party software is installed and forces them to.
- Linux users have things up to date; only distribution version updates (e.g. Fedora 41 to Fedora 42) are inconsistent.

So my take is that, even if things are not perfect with flatpak, rpm/dnf, fwupdmgr and the package manager, this is much better than having to pay for third-party tools on macOS and Windows because of the lack of a good way to distribute and maintain apps at the operating system level.

jillesvangurp 9 hours ago

Only fedora can put stuff in their flatpak repository presumably. That makes them a gatekeeper. Why is a repository needed? If it was the same, Mozilla would be able to put a flatpak file for Firefox on their website and it would be the preferred way to install Firefox.

Of course everybody (including Mozilla) can create their own repository and then you can install from any repository you like. But how is that different than just downloading whatever and installing that? And that's more of a hypothetical. Mozilla doesn't do that and doing such things is not common.

What Apple and MS enforce via signatures is that what you install and run was produced by somebody with a valid certificate that passed their screening.

The problem flatpak hasn't solved is that the likes of Mozilla still have no good way to distribute the most recent version of their application to all Linux users. So they put a tarball on their website instead.

boudin 7 hours ago

Mozilla publishes Firefox on Flathub and anybody can install it from there. That said, I'm not sure why they don't advertise it; most apps distributed this way just have a button that does so.

Fedora has its own repo, they manage it, I don't see the problem there. Beyond that, it doesn't prevent adding others like Flathub, and the experience from a user's point of view is the same.

You can also provide a flatpak ref file that users can use to install.

Signing an app doesn't mean much apart from the fact that someone paid for it and went through a process, IMO. There's not much value to it from the user's point of view, especially when the first thing a Windows user learns is to ignore signature warnings.

Have you tried using flatpak?

lucas_membrane 14 hours ago

I think that you are right about not depending on one open source OS to provide the proper dependencies, customization, and training wheels for every app. I have been running Linux on my desktop for about 20 years, about one decade of Mint followed by the same of Fedora so far. Being a curious but fussy guy who installs lots of software to see what works, I find that I need to install a fresh OS about every 18 to 24 months.

There are, I suppose, always a few programs that don't get updated by 'sudo dnf update' but do get bothered by updates to the shared libraries via the same. Perhaps there are some config files that get damaged by software bugs or power outages or system crashes or my own mistakes and carelessness. I also found out that if one loses the dnf program, one will discover just how impossible it is to pull oneself up by one's own bootstraps.

Mint was a very similar situation. Maybe not so bad for one who follows all the rules, but in those bygone days there were people suggesting that updating Mint programs with newer versions from the Ubuntu or Debian repos was a good idea. And because Mint was slow to get updates, I would attempt to update some apps by downloading source and building and installing here.

Last year, when I upgraded Fedora from 39 to 41, was the first time I got any OS upgrade to work instead of wiping the disk, doing a fresh install of the new OS version, and then spending a week or month trying to get my data for the installed apps (eg web browser and email) from backups. But the upgrade took much longer than it should have, because once I started running the upgrade process, I did not know that the computer sitting there dead silent with no action on the screen for about 30 hours was a sign that all was going well. Computers are evil.

Vilian 9 hours ago

You can have other repos in flatpak than Flathub, so in theory the devs can package their app in their own repo and tell the user to install it.

arunkant 15 hours ago

Application developers should be able to package and distribute the app. See how easy it is for a casual user to download and install any application on Windows. Maintainers cannot scale, and depending on them will just hold back desktop Linux.

LtWorf 15 hours ago

The best thing about unvetted app stores is that anyone can publish software!

The worst thing about unvetted app stores is that anyone can publish software!

ndiddy 13 hours ago

Flathub is not unvetted. Every submission goes through human review. If a piece of software requires an unnecessary permission (e.g. if someone submits an alarm clock program that requires home folder access and internet access), it will get rejected. If a developer updates their software and changes the required permissions, the update won't get pushed to users until it goes through human review.

Besides this, for open source packages, the code gets built on Flathub's build servers without internet access. The source code associated with a given Flathub package version must be either a specific Git commit (verified with a commit hash) or a release tarball (verified with a sha256 hash). This means that it's always possible to verify that the code a developer publishes corresponds to the binaries being shipped to users. Closed source packages get a big warning on their Flathub pages saying that the program's code is proprietary and not auditable.

With the traditional distro packaging model, the requirements to become a maintainer are stringent and there's human review when a package is added, but there's typically no review after that point. If you'd like a recent example of the drawbacks of this system, see here: https://security.opensuse.org/2025/05/07/deepin-desktop-remo... . After the OpenSUSE security team rejected certain components of the Deepin DE for containing major security problems (including multiple root privilege escalation vulnerabilities), the Deepin maintainer smuggled them in anyway through an innocuous looking package called "deepin-feature-enable" and nobody in the security team noticed for several years. I'm not trying to call out the OpenSUSE security team here, I'm sure they don't have the resources to vet random packages. I'm saying that expecting maintainers to never ship malicious code because they went through the process to become a maintainer is a weakness of the traditional distro packaging model.
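The two review rules ndiddy describes above, pinned sources and scrutiny of requested permissions, are mechanical enough to check in code. The script below is an added example written for this page; it is not Flathub's own review tooling and not part of any commenter's post. It assumes a JSON-format flatpak-builder manifest (YAML manifests are common too but would need a YAML parser), the `BROAD_PERMISSIONS` allowlist is an assumed reviewer policy rather than Flathub's published list, and `EXAMPLE_MANIFEST` is a constructed manifest for the alarm-clock case from the comment, with one archive source pinned by sha256 and one git source that tracks a branch instead of a commit.

```python
import json
import re

# Constructed example manifest (not a real app): an alarm clock that asks for
# home-folder and network access, and one source that is not pinned.
EXAMPLE_MANIFEST = """
{
  "app-id": "org.example.AlarmClock",
  "runtime": "org.gnome.Platform",
  "runtime-version": "47",
  "sdk": "org.gnome.Sdk",
  "command": "alarmclock",
  "finish-args": [
    "--socket=wayland",
    "--socket=fallback-x11",
    "--share=ipc",
    "--share=network",
    "--filesystem=home"
  ],
  "modules": [
    {
      "name": "libexample",
      "sources": [
        {
          "type": "archive",
          "url": "https://example.invalid/libexample-1.2.tar.xz",
          "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
        }
      ]
    },
    {
      "name": "alarmclock",
      "sources": [
        {
          "type": "git",
          "url": "https://example.invalid/alarmclock.git",
          "branch": "main"
        }
      ]
    }
  ]
}
"""

# Assumed reviewer policy (not Flathub's actual list): finish-args whose base
# form appears here are broad enough that a submission should justify them.
BROAD_PERMISSIONS = {
    "--filesystem=home", "--filesystem=host", "--filesystem=host-os",
    "--filesystem=host-etc", "--share=network", "--device=all",
    "--socket=x11", "--socket=session-bus", "--socket=system-bus",
    "--talk-name=org.freedesktop.Flatpak",
}

HEX40 = re.compile(r"[0-9a-fA-F]{40}")    # full git commit id
HEX64 = re.compile(r"[0-9a-fA-F]{64}")    # sha256
HEX128 = re.compile(r"[0-9a-fA-F]{128}")  # sha512


def check_sources(manifest):
    """Return findings for sources that are not pinned to immutable content.

    A git source needs a full commit hash (a branch or tag name can move);
    a remote archive or file needs a sha256 or sha512; extra-data is flagged
    because it is fetched on the user's machine, so the build server never
    sees those bytes.
    """
    findings = []
    for module in manifest.get("modules", []):
        if isinstance(module, str):
            findings.append(f"{module}: external module file, review it separately")
            continue
        name = module.get("name", "?")
        for i, src in enumerate(module.get("sources", [])):
            where = f"{name}/sources[{i}]"
            kind = src.get("type")
            if kind == "git":
                if not HEX40.fullmatch(src.get("commit", "")):
                    findings.append(f"{where}: git source without a full commit hash")
            elif kind in ("archive", "file"):
                if "path" in src:
                    continue  # local file checked into the packaging repo
                pinned = HEX64.fullmatch(src.get("sha256", "")) or HEX128.fullmatch(src.get("sha512", ""))
                if not pinned:
                    findings.append(f"{where}: remote {kind} without sha256/sha512")
            elif kind == "extra-data":
                findings.append(f"{where}: extra-data is downloaded at install time, not built here")
    return findings


def check_permissions(manifest):
    """Return finish-args that grant broad access.

    '--filesystem=home:ro' is reduced to '--filesystem=home' before the
    lookup, so read-only variants of a broad grant are still reported.
    """
    return [arg for arg in manifest.get("finish-args", [])
            if arg.split(":", 1)[0] in BROAD_PERMISSIONS]


def review(manifest_text):
    """Parse a JSON manifest and return both kinds of findings."""
    manifest = json.loads(manifest_text)
    return {
        "app_id": manifest.get("app-id") or manifest.get("id"),
        "unpinned_sources": check_sources(manifest),
        "broad_permissions": check_permissions(manifest),
    }


if __name__ == "__main__":
    for key, value in review(EXAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against the constructed manifest, `review` reports `--share=network` and `--filesystem=home` as permissions to justify and flags the `alarmclock` git source for tracking `main` rather than a commit; the sha256-pinned archive passes. The point of the hash check is the one ndiddy makes: with every source pinned to immutable content and the build done offline, anyone can rebuild and compare the published binary against the declared source.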

LtWorf 6 hours ago

Reading about all the crashes and stuff that generally doesn't work… doesn't seem too vetted to me.

tempaccount420 15 hours ago

Distro package maintainers are not security researchers, they don't audit the code they maintain.

alkonaut 14 hours ago

They do to some extent in the larger distros, but for proprietary/binary packages they don't have much chance anyway unless they are willing to do some pretty time-consuming forensics.

tempaccount420 2 hours ago

It'd be a gargantuan effort to do it for every package, most times it's just a version + hash update and maybe a test.

LtWorf 9 hours ago

I do, and I work at a security company. But thanks for knowing more about my life than myself, random internet person.

goodpoint 14 hours ago

This is false.

flomo 14 hours ago

Plus the app developers at least have some level of accountability. Like when JWZ got into it with Debian (can't link here). You might think you are running XScreensaver from the great Zawinski, but no you are actually running some weird fork from godknowswho, hopefully not Jia Tan.

ChocolateGod 14 hours ago

XScreensaver is supposed to hide your desktop and Jia Tan is an expert at hiding things, so I think they'd be a perfect match.

tempaccount420 2 hours ago

You got downvoted but yes, it's quite sad when distros release a package under the same name as the original but with their own set of patches. I think they should rename the package when they do that, even just a prefix/suffix with the distro name would be nice.

sbt 18 hours ago

The problem is that now you have to package for N distros. And the people who run the distro may not want to spend time on it, so you have to do it yourself.

Arnavion 17 hours ago

It doesn't have to be gated by "the people who run the distro". I started packaging a few pieces of software for a distro I use because I wanted to use that software, and I don't "run" the distros in any capacity. Package maintainers aren't born that way, they become that way by volunteering, just like most everything in Linux.

If you don't have even one user willing to do that for the distro they use, you probably weren't going to have users on that distro anyway.

troyvit 9 hours ago

> Package maintainers aren't born that way, they become that way by volunteering, just like most everything in Linux.

I feel like there's a constant tug of war on this issue. If you leave it up to app developers then they have to package their app for N distros. If you leave it up to the distro maintainers then they have to compile N apps for their distro. I don't envy either group given how different distros are and how varied apps are in quality, methodology, etc.

I look at Podman. In my opinion it could be (could have been?) a huge disruptor, but its Red Hat (or Fedora or CentOS or whatever the hell those guys do now) versions are way higher than versions for other distributions, which creates for me (just a home user) an interoperability problem between all my different Linux boxes. Red Hat, if anybody, has the resources to fix this, but I guess they'd rather try to use it as a way to force adoption of their distro? I don't even know.

Both the apps and the distros are volunteer-heavy. App packaging is a big job for either side. I'm still hopeful that Flatpak can help with that job.

Ferret7446 7 hours ago

That's a massive waste of resources and time.

If you are unwilling to use tools like Flatpak, then that limits what distros you can make. e.g., in a world without Flatpak, only distros with X users can exist. In a world with Flatpak, distros with X/10 users can exist.

Another way to think about it: if you want to make/use your own distro, then using Flatpak will cut down the amount of work you have to do by some large multiple. You're free to not use it, just like you're free to install custom electrical sockets in your house and make custom adaptors for every single appliance you buy.

Standardization/centralization exists for a reason.

palata 17 hours ago

You're saying the exact opposite of the original point, which is: you should not package for distros, distros should package for themselves. You just distribute your sources.

You are a good candidate to package for your distro, so there's that. And then for a random distro, if nobody feels like packaging for it, then it's just not there. Either there is not enough interest in your project, or there is not enough interest in the distro itself.

curt15 10 hours ago

> distros should package for themselves. You just distribute your sources.

Is Devault basically saying that the application developer should just throw their source code over the wall and hope that other parties notice and figure out how to build it correctly? I would find that model of software distribution unsatisfying as a developer because merely distributing a source tarball and leaving the rest to middlemen makes it difficult for me to predict how my users will experience the final product. Even if my product is fully open source and free to fork, it's my reputation on the line when things don't work as intended. I would prefer to establish a more direct relationship with my users; to personally build and test my software in all environments that I support; and to hear directly from users whenever they experience problems.

skydhash 8 hours ago

> Even if my product is fully open source and free to fork, it's my reputation on the line when things don't work as intended

I think that everyone who is worrying about that wants to apply corporate thinking to the open source model. Meaning they want to be a special thing where everything is supposed to be interchangeable. Just yesterday, I was compiling a program that hard depends on the GNU C library for just 2 functions, and not even critical ones. To be fair, the author said that they only test on Debian.

While the Linux world may be fragmented, the true differences are mostly minimal (systemd vs other init systems, glibc vs musl, network manager, ...), so it's possible to decouple yourself from these concerns if you want to. But often the developer hard depends on decisions made by their preferred distro team, and creates a complicated build script that only works there.

palata 8 hours ago

I don't know what Devault says, but here is my opinion: do not ship something you don't understand/test/use yourself.

Distros should not package random open source projects they don't use/understand, and developers should not package their project for distros they don't use/understand. For both, it's like shipping untested code and the conclusion is always going to be "you should all run the same system I do" or "we should all have the exact same system, let's implement Flatpak".

Developers should package their project for the distros they support (often that's just Ubuntu). Random people should package the open source projects they want to use in their distro of choice (the more popular the distro, the higher the chance that someone else has done it already). All that under the supervision of distro maintainers.

troupo 16 hours ago

> distros should package for themselves. You just distribute your sources.

That's how you ended up with Erlang being split into 20+ packages on Ubuntu/Debian in the past. Because it was packaged by people who knew little about Erlang, and had too much time on their hands probably.

And that is the main issue: you want distro maintainers to compile and package every single piece of software under the sun, but they can't possibly know every piece of software, how it works, or how it's supposed to work. Times that by the number of distros.

palata 9 hours ago

> you want distro maintainers to compile and package every single piece of software under the sun

No. I want people who will actually use the package to package the software they need, and distro maintainers to supervise that.

> Because it was packaged by people who knew little about Erlang

Yep, people who won't use Erlang shouldn't package Erlang. But on the other hand, developers who won't use Erlang on platform X shouldn't package Erlang on platform X.

The "we absolutely need flatpak because otherwise it fundamentally doesn't work" philosophy is, to me, very close to saying "we must consolidate everything under one single OS. Everybody should use the exact same thing otherwise it doesn't work". That's not what I want. I want to have freedom, and the cost of it is that I may have to package stuff from time to time.

If you don't want to contribute to your distro, choose a super popular distro where everything is already packaged (and used!). Or use macOS. Or use Windows. You don't get to complain about Alpine Linux not having a package you want: you chose Alpine, that was part of the deal.

skydhash 8 hours ago

Alpine is a great litmus test for programs that unnecessarily depend on glibc and systemd. More often than not, it's easy to take the Arch build script and create a package for Alpine. When that fails, it's usually for the above reason.

troupo 2 hours ago

> I want people who will actually use the package to package the software they need, and distro maintainers to supervise that.

Erm... Your original comment said "you should not package for distros, distros should package for themselves. You just distribute your sources."

> Yep, people who won't use Erlang shouldn't package Erlang. But on the other hand, developers who won't use Erlang on platform X shouldn't package Erlang on platform X.

So... Who's gonna package it if you say that distros should package it?

> The "we absolutely need flatpak because otherwise it fundamentally doesn't work" philosophy is, to me, very close to saying "we must consolidate everything under one single OS.

Bullshit.

What you advocate for is "why bother with ease of use and convenience, everyone should learn how to compile and package everything from scratch"

> If you don't want to contribute to your distro

The user of a package doesn't necessarily know how to package something, and shouldn't need to.

poulpy123 13 hours ago

> that software is packaged by people working on behalf of the distro.

It is totally unreasonable to expect distros to be able to package every piece of software in the world.

s_ting765 17 hours ago

I'm glad flatpaks are getting more adoption. Application distribution needs to move away from distributions because they suck at it, through no fault of their own. Developers should have the option to distribute their apps without middlemen.

pjerem 16 hours ago

In fact I'd say they are perfect for distributions to be more stable. E.g.: my issue with Debian has always been that you couldn't (easily, I know backports existed) have a stable system AND fresh software. With Flatpak, you can.

Now I can run my latest user software on a stable distribution. That's pretty cool.

There are still issues of UX. Especially when the app you are using doesn't have enough permissions to do the job, you have no information about it, and when you figure it out by yourself, changing this is hard.

I'd expect that Flatpak should allow apps to specifically ask for permissions in real time or when they try to access external resources, like in macOS: just expose the APIs but make them wait for user approval.

fc417fc802 10 hours ago

> Now I can run my latest user software on a stable distribution. That's pretty cool.

I'm at a bit of a loss. Isn't the entire point of a stable distribution _not_ having cutting edge userspace? It's an inherently double edged sword.

If you just wanted to mix and match you were always able to run (for example) a debian testing chroot under debian stable. Something like Nix is the more extreme version of that. The point of something like Flatpak then is either sandboxing or the distribution model (ie getting software from the original author).

skydhash 8 hours ago

These days, I'm tempted by Debian stable because of people playing cowboys with software updates, breaking workflows right and left. There are always VMs for bleeding edge.